Manage Learn to apply best practices and optimize your operations.

Solaris Web services security: Configure network access control

Gary Smith explains how to configure Network Access Control when securing Web services.

Configure Network Access Control
Moving outward, the next step is configuring the access to and from the network.

Disable IP forwarding and IP Routing
To disable IP forwarding do: touch /etc/notrouter.

Block Broadcast Packets
To prevent incoming broadcast packets from entering the network, add the following at the end of /etc/rc2.d/S69inet

ndd -set /dev/ip ip_forward_directed_broadcasts 0

To prevent the system from responding to incoming broadcast packets, add the following command at the end of /etc/rc2.d/S69inet

ndd -set /dev/ip ip_respond_to_echo_broadcast 0

Install WU FTPD
If FTP is required for the Web services consider installing the Washington University FTP (WU-FTPD) daemon available at The WU-FTPD package contains the WU-FTPD FTP (File Transfer Protocol) server daemon. The FTP protocol is a method of transferring files between machines on a network and/or over the Internet. WU-FTPD's features include logging of transfers, logging of commands, on the fly compression and archiving, classification of users' type and location, per class limits, per directory upload permissions, restricted guest accounts, system wide and per directory messages, directory aliases, cdpath, filename filters, and virtual host support.

Configure System Logging
Keeping good system logs will make researching a compromise on your network much more productive. Chances are, you will never know how important this type of information is until you need it.

Restrict Access to System Logs
Make sure only root has write access to the following log files:


Log All su Activity
All su activity can be logged to a local file or to a loghost machine.

Note: You must use the tab key to enter whitespace characters in syslog.conf.

To Logging to a local file:

Edit /etc/syslog.conf add the entry:

auth.notice /var/log/authlog

To Logging to a loghost machine:

Edit /etc/syslog.conf, add the entry

auth.warning ifdef (`LOGHOST`, /var/log/authlog,@loghost)

where "loghost" is the name of the centralized logging server. Note: syslog uses UDP to send messages and therefore may not reliably transmit messages to the logging server. Also, syslog sends cleartext messages. This means other systems on the network could potentially read important log messages.

Unsuccessful user logins can be logged by doing the following:

touch /var/adm/loginlog
chown root:sys /var/adm/loginlog
chmod 644 /var/adm/loginlog

In this 12-part tip Unix expert Gary Smith breaks down the process of building and maintaining a highly secure Web services architecture on the Solaris platform.

Table of contents:
Part 1: Isolate the Web services host server
Part 2: Install and configure a very basic operating system
Part 3: Force the use of su to gain root access
Part 4: Disable trusted host relationships and create a warning banner
Part 5: Configuring user accounts
Part 6: Disabling and removing unnecessary accounts
Part 7: Configure network access control
Part 8: Configure network services
Part 9: Install OpenSSH, disable NFS and reboot
Part 10: Set file permissions
Part 11: Test the configuration
Part 12: Conclusion

This was last published in October 2002

Dig Deeper on Web application and API security best practices

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.